US8018845B2 - Sampling rate-limited traffic - Google Patents

Sampling rate-limited traffic Download PDF

Info

Publication number
US8018845B2
US8018845B2 US11/339,597 US33959706A US8018845B2 US 8018845 B2 US8018845 B2 US 8018845B2 US 33959706 A US33959706 A US 33959706A US 8018845 B2 US8018845 B2 US 8018845B2
Authority
US
United States
Prior art keywords
rate
packets
profile
state
limiting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/339,597
Other versions
US20070171824A1 (en
Inventor
Natale Ruello
Farrukh Reza Naqvi
Anusankar Elangovan
Gaetano Borgione
Suran De Silva
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology Inc filed Critical Cisco Technology Inc
Priority to US11/339,597 priority Critical patent/US8018845B2/en
Assigned to CISCO TECHNOLOGY, INC. A CORPORATION OF CALIFORNIA reassignment CISCO TECHNOLOGY, INC. A CORPORATION OF CALIFORNIA ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ELANGOVAN, ANUSANKAR, DE SILVA, SURAN, NAQVI, FARRUKH REZA, RUELLO, NATALE, BORGIONE, GAETANO
Publication of US20070171824A1 publication Critical patent/US20070171824A1/en
Application granted granted Critical
Publication of US8018845B2 publication Critical patent/US8018845B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/022Capturing of monitoring data by sampling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring

Definitions

  • One embodiment of the invention relates to communications and computer systems, especially routers, packet switching systems, and other devices; and more particularly, one embodiment relates to sampling rate-limited traffic, such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
  • sampling rate-limited traffic such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
  • IP Internet Protocol
  • Traffic rate-limiting mechanisms are used to ensure packet traffic conforms to certain predetermined rates. These can be used to protect systems from attacks (e.g., denial-of-service) and to ensure packet traffic conforms to subscribed rates.
  • FIG. 1A illustrates one such prior approach wherein when a rate limiter is in an in-profile forwarding state 100 , packets are forwarded normally.
  • the state of the rate limiter switches to an out-of-profile rate-limiting state 102 , wherein packets are rate-limited, such as, but not limited to being dropped or redirected to another location or processor.
  • the rate drops below the threshold (e.g., the rate over time decreases or a new measuring time period commences)
  • the state switches back to in-profile forwarding state 100 .
  • FIG. 1B illustrates a prior art system using a rate limiter for limiting multiple different types and/or streams of traffic.
  • Packets are first classified by classification mechanism 110 (e.g., an associative memory such as a ternary content-addressable memory) to identifying which set of rate-limiting parameters to use.
  • Rate-limiting mechanism 112 retrieves the corresponding parameters 114 based on the rate-limiter indication and performs the appropriative forwarding or rate-limiting operation based on its current state as illustrated by and described in relation to FIG. 1A .
  • Clock or timer 116 provides the timing references as the current rate of a classification of traffic is determined based on a number of packets received in a given time period or over time.
  • a problem with these prior art rate-limiting systems is that they provide minimal information about the traffic (e.g., statistics of the number of packets dropped) or they redirect all the out-of-profile packets to a processing mechanism, which can be overwhelmed by the number of packets.
  • rate limits and samples rate-limited packet traffic maintains a representation of a current rate of packet traffic.
  • the current rate corresponds to one of multiple rate-limiting states, which include an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold.
  • Packets are rate-limited (i.e., throttled or not throttled) according to the rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
  • exactly one packet is selected during the out-of-profile leak state.
  • multiple particular packets are selected during the out-of-profile leak state, with these particular packets including at least two consecutively received packets.
  • rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped.
  • the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition.
  • the defensive action includes adjusting at least one of the first or second thresholds.
  • FIGS. 1A-B are block diagrams illustrating prior approaches for rate-limiting of traffic
  • FIG. 2 is a block diagram illustrating multiple rate-limiting states including an out-of-profile leak state used in one embodiment
  • FIG. 3A is a block diagram of a system that samples rate-limited traffic, analyzes these samples, and reacts to identified conditions;
  • FIG. 3B is block diagram of a system or component used in one embodiment
  • FIGS. 4A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic;
  • FIGS. 5A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic.
  • FIG. 6 illustrates a process used in one embodiment for analyzing sampled rate-limited traffic and reacting to identified conditions.
  • embodiments described herein include various elements and limitations, with no one element or limitation contemplated as being a critical element or limitation.
  • Each of the claims individually recites an aspect of the invention in its entirety.
  • some embodiments described may include, but are not limited to, inter alia, systems, networks, integrated circuit chips, embedded processors, ASICs, methods, and computer-readable media containing instructions.
  • One or multiple systems, devices, components, etc. may comprise one or more embodiments, which may include some elements or limitations of a claim being performed by the same or different systems, devices, components, etc.
  • the embodiments described hereinafter embody various aspects and configurations within the scope and spirit of the invention, with the figures illustrating exemplary and non-limiting configurations.
  • computer-readable media and means for performing methods and processing block operations are disclosed and are in keeping with the extensible scope and spirit of the invention.
  • packet refers to packets of all types or any other units of information or data, including, but not limited to, fixed length cells and variable length packets, each of which may or may not be divisible into smaller packets or cells.
  • packet as used herein also refers to both the packet itself or a packet indication, such as, but not limited to all or part of a packet or packet header, a data structure value, pointer or index, or any other part or direct or indirect identification of a packet or information associated therewith.
  • these packets may contain one or more types of information, including, but not limited to, voice, data, video, and audio information.
  • the term “item” is used generically herein to refer to a packet or any other unit or piece of information or data, a device, component, element, or any other entity.
  • processing a packet typically refers to performing some steps or actions based on the packet contents (e.g., packet header or other fields), and such steps or action may or may not include modifying, storing, dropping, and/or forwarding the packet and/or associated data.
  • packet processing typically refers to performing some steps or actions based on the packet contents (e.g., packet header or other fields), and such steps or action may or may not include modifying, storing, dropping, and/or forwarding the packet and/or associated data.
  • the term or reference to “dropping” a packet or a variant thereof e.g., drop the packet, the packet is dropped, etc.
  • marking or distinguishing the packet for subsequent dropping or potentially different processing e.g., a higher probability of being dropped by subsequent processing, Early Congestion Notification marking, etc.
  • system is used generically herein to describe any number of components, elements, sub-systems, devices, packet switch elements, packet switches, routers, networks, computer and/or communication devices or mechanisms, or combinations of components thereof.
  • computer is used generically herein to describe any number of computers, including, but not limited to personal computers, embedded processing elements and systems, control logic, ASICs, chips, workstations, mainframes, etc.
  • processing element is used generically herein to describe any type of processing mechanism or device, such as a processor, ASIC, field programmable gate array, computer, etc.
  • device is used generically herein to describe any type of mechanism, including a computer or system or component thereof.
  • task and “process” are used generically herein to describe any type of running program, including, but not limited to a computer process, task, thread, executing application, operating system, user process, device driver, native code, machine or other language, etc., and can be interactive and/or non-interactive, executing locally and/or remotely, executing in foreground and/or background, executing in the user and/or operating system address spaces, a routine of a library and/or standalone application, and is not limited to any particular memory partitioning technique.
  • network and “communications mechanism” are used generically herein to describe one or more networks, communications media or communications systems, including, but not limited to the Internet, private or public telephone, cellular, wireless, satellite, cable, local area, metropolitan area and/or wide area networks, a cable, electrical connection, bus, etc., and internal communications mechanisms such as message passing, interprocess communications, shared memory, etc.
  • messages is used generically herein to describe a piece of information which may or may not be, but is typically communicated via one or more communication mechanisms of any type.
  • storage mechanism includes any type of memory, storage device or other mechanism for maintaining instructions or data in any format.
  • Computer-readable medium is an extensible term including any memory, storage device, storage mechanism, and other storage mechanisms.
  • memory includes any random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components or elements.
  • storage device includes any solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Memories and storage devices may store computer-executable instructions to be executed by a processing element and/or control logic, and data which is manipulated by a processing element and/or control logic.
  • data structure is an extensible term referring to any data element, variable, data structure, database, and/or one or more organizational schemes that can be applied to data to facilitate interpreting the data or performing operations on it, such as, but not limited to memory locations or devices, sets, queues, trees, heaps, lists, linked lists, arrays, tables, pointers, etc.
  • a data structure is typically maintained in a storage mechanism.
  • pointer and link are used generically herein to identify some mechanism for referencing or identifying another element, component, or other entity, and these may include, but are not limited to a reference to a memory or other storage mechanism or location therein, an index in a data structure, a value, etc.
  • first, second, etc. are typically used herein to denote different units (e.g., a first element, a second element).
  • the use of these terms herein does not necessarily connote an ordering such as one unit or event occurring or coming before another, but rather provides a mechanism to distinguish between particular units.
  • the use of a singular tense of a noun is non-limiting, with its use typically including one or more of the particular thing rather than just one (e.g., the use of the word “memory” typically refers to one or more memories without having to specify “memory or memories,” or “one or more memories” or “at least one memory”, etc.).
  • the phrases “based on x” and “in response to x” are used to indicate a minimum set of items “x” from which something is derived or caused, wherein “x” is extensible and does not necessarily describe a complete list of items on which the operation is performed, etc.
  • the phrase “coupled to” is used to indicate some level of direct or indirect connection between two elements or devices, with the coupling device or devices modifying or not modifying the coupled signal or communicated information.
  • the term “subset” is used to indicate a group of all or less than all of the elements of a set.
  • the term “subtree” is used to indicate all or less than all of a tree.
  • One embodiment for rate limiting and sampling rate limited packets includes: maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate limiting states, the plurality of rate limiting states including an in profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out of profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out of profile rate limiting state corresponding to the current rate of traffic being above the second threshold; and rate limiting packets of said packet traffic according to said rate limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non selected packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type
  • exactly one packet is selected during the out of profile leak state.
  • a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets.
  • said rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped.
  • the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition.
  • said defensive action includes adjusting at least one of the first or second thresholds.
  • exactly one packet is selected during the out of profile leak state.
  • a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets.
  • said defensive action includes installing an access control list entry in an access control list being applied to said packet traffic to counter said identified threat condition.
  • One embodiment includes: a classification mechanism for classifying packet traffic into a plurality of classified packet traffic flows; a rate limiter configured to rate limit traffic of said classified packet traffic flows according to a current rate limiting state of a plurality of rate limiting states identified based on a current rate of packet traffic for, the plurality of rate limiting states including an in profile forwarding state, an out of profile leak state, and an out of profile rate limiting state; wherein said rate limiting of traffic according to the current rate limiting state includes forwarding packets normally during the in profile forwarding state, sampling packets during the out of profile leak state such that said sampled packets are forwarded to a processing mechanism while non sampled packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type.
  • One embodiment comprises the processing mechanism configured for analyzing leaked packets and to reacting to identified conditions based on an analysis of said leaked packets.
  • said reacting to identified conditions includes adjusting a rate threshold defining said in profile forwarding state.
  • the current rate limiting state transitions from the in profile forwarding state to the out of profile leak state and then to the out of profile rate limiting state.
  • the current rate limiting state transitions from the out of profile leak state to the out of profile rate limiting state in response to achieving a predetermined number of packets.
  • One embodiment includes: means for identifying a current rate limiting state of a plurality of rate limiting states for a classification of traffic, the plurality of rate limiting states including an in profile forwarding state, an out of profile leak state, and an out of profile rate limiting state; and means for rate limiting packets of said packet traffic according to said rate limiting state, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non selected packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type.
  • One embodiment includes means for performing defensive action; wherein the processing mechanism is configured to identify a threat condition based on one or more of said selected packets, and said means for performing defensive action is responsive to said identifying the threat condition by the processing mechanism.
  • exactly one packet is selected during the out of profile leak state.
  • a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets.
  • said means for identifying a current rate limiting state includes means for identifying a current rate of packet traffic.
  • said means for identifying a current rate of packet traffic includes means for updating a token value.
  • said means for identifying a current rate of packet traffic includes means for updating a main token value and a burst token value.
  • One embodiment of rate limiting and sampling rate limited packet traffic includes: maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate limiting states, the plurality of rate limiting states including an in profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out of profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out of profile rate limiting state corresponding to the current rate of traffic being above the second threshold; and rate limiting packets of said packet traffic according to said rate limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are both forwarded normally and sent to a processing mechanism for processing, and packets during the out of profile rate limiting state are forwarded normally or rate-limited of a second type.
  • all packet are selected during the out of profile leak state. In one embodiment, packets are not forwarded normally during the out of profile rate limiting state.
  • FIG. 2 is a block diagram illustrating multiple rate-limiting states including an out-of-profile leak state used in one embodiment.
  • the rate limiter is in in-profile forwarding state 200 when the traffic conforms to its predetermined rate. Traffic is typically forwarded normally when the rate limiter is in in-profile forwarding state 200 .
  • the rate exceeds a first predetermined threshold rate ( 205 )
  • the current state of the rate limiter changes to out-of-profile leak state 210 .
  • packets are sampled (also referred to as packets being “leaked”) and redirected to a particular destination, such as, but not limited to a processing mechanism (e.g., a system that analyzes the sampled packets and/or logs the sampled packets and/or performs some other function).
  • This sampling of packets may include only redirecting the packet, or redirecting the packet as well as forwarding the packet normally, i.e., in other words, the packet (or a copy thereof) is both forwarded as normal and redirected or otherwise forwarded to a processing mechanism.
  • the state changes ( 215 ) to out-of-profile rate-limiting state 220 , in which packets are typically dropped or redirected to another destination (i.e., the packets are typically not forwarded normally).
  • the state of the rate limiter transitions ( 207 , 209 ) back to in-profile forwarding state 200 in response to the rate dropping below the first threshold (e.g., the rate over time decreases or a new measuring time period commences).
  • one embodiment provides a programmable type of rate limiting for each of the rate-limiting states, with these programmable types of rate limiting including, but not limited to forwarding as normal, redirect (e.g., forward to a specified destination), drop, forward and snoop (e.g., forward as well as provide a copy to another destination), redirect and snoop, and drop and snoop.
  • FIG. 3A is a block diagram of a system that samples rate-limited traffic, analyzes these samples, and reacts to identified conditions.
  • a packet 300 is received and then is classified by classification mechanism 306 to identify which rate limiter the packet corresponds (specified by rate-limiter indication 307 ).
  • rate limiter refers to a rate-limiting mechanism with corresponding rate-limiting parameters and/or the measured and/or approximated current traffic rate for a particular classification of packets.
  • Rate-limiting mechanism 312 retrieves for the corresponding rate-limiting parameters, current traffic rate, and/or current rate-limiting state ( 314 ) based on rate-limiter indication 307 , and rate limits the corresponding packet 309 accordingly.
  • the exact retrieved information depends on the embodiment. For example, one embodiment maintains a current token value and one or more threshold values for each classification of packets in memory or registers 314 , which allows rate-limiting mechanism to readily identify the current rate-limiting state.
  • mechanism 314 maintains these values and merely provides rate-limiting mechanism the current rate-limiting state corresponding to the packet 309 to be rate limited.
  • rate-limiting mechanism is responsive to clock or timer 316 , as a rate is a function of time.
  • one embodiment represents the measurement of the current rate as a current number of tokens in a current time period, with the tokens being re-initialized every expiration of the time period.
  • the number of packets or bytes thereof are maintained with a calculation performed based on a time duration to identify the current packet rate.
  • the number of packets or bytes thereof are maintained and are aged over time.
  • Rate-limiting mechanism 312 rate-limits (e.g., forwards normally, drops, redirects, etc.) ( 315 ) packet 309 according to the current rate-limiting state.
  • sampled packets during the out-of-profile leak state are redirected ( 317 ) to processing mechanism 320 , which analyzes these sampled packets. If a condition is detected, such as a denial-of-service attack or other offensive condition (whether malicious or not), processing mechanism 320 may initiate a reaction ( 323 ) to such identified condition to modify the operation of rate-limiting mechanism, such as to modify its transition between states for the corresponding packet classification (and possibly others) such that the offending traffic can be further reduced (e.g., dropped, redirected) such that it does not proceed downstream.
  • a condition such as a denial-of-service attack or other offensive condition (whether malicious or not)
  • processing mechanism 320 may initiate a reaction ( 323 ) to such identified condition to modify the operation of rate-limiting mechanism, such as to modify its transition between states
  • FIG. 3B is block diagram of a system or component 340 used in one embodiment for maintaining performing class-based bandwidth partitioning.
  • system or component 340 performs one or more processes corresponding to one of the flow diagrams or pseudo code illustrated or otherwise described herein.
  • system or component 340 includes a processing element 341 , memory 342 , storage devices 343 , and an interface 344 for sending and receiving packets and/or communicating with external devices (e.g. one or more memories and/or classification/lookup mechanisms), which are typically communicatively coupled via one or more communications mechanisms 349 , with the communications paths typically tailored to meet the needs of the application.
  • external devices e.g. one or more memories and/or classification/lookup mechanisms
  • component 340 may include more or less elements.
  • the operation of component 340 is typically controlled by processing element 341 using memory 342 and storage devices 343 to perform one or more tasks or processes.
  • Memory 342 is one type of computer-readable medium, and typically comprises random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components.
  • RAM random access memory
  • ROM read only memory
  • flash memory integrated circuits, and/or other memory components.
  • Memory 342 typically stores computer-executable instructions to be executed by processing element 341 and/or data which is manipulated by processing element 341 for implementing functionality in accordance with an embodiment.
  • Storage devices 343 are another type of computer-readable medium, and typically comprise solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices.
  • Storage devices 343 typically store computer-executable instructions to be executed by processing element 341 and/or data which is manipulated by processing element 341 for implementing functionality in accordance with an embodiment.
  • FIGS. 4A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic.
  • the state diagram illustrated in FIG. 4A illustrates one embodiment of the state diagram illustrated in FIG. 2 , wherein FIG. 4A specifically refers to tokens.
  • the rate-limiting mechanism includes at least the three states of in-profile forwarding state 400 , out-of-profile leak state 410 , and out-of-profile rate-limiting state 420 .
  • each packet classification is allocated a number of tokens corresponding to its authorized rate each time period (e.g., the current token value is reset to this value at the expiration of the measuring period).
  • the current number of tokens is reduced by the number of packets or bytes thereof processed during the current time period.
  • the current rate-limiting state transitions ( 415 ) to out-of-profile leak state 410 .
  • the sampling period expires (e.g., after sampling a predetermined number of packets such as one packet, after sampling at least two consecutive packets, after sampling a predetermined number of packets such as sampling one packet every nth packet received during the out-of-profile leak state ( 410 )
  • the current rate-limiting state transitions ( 417 ) to out-of-profile rate-limiting state 420 .
  • the current rate-limiting state transitions ( 407 , 409 ) to in-profile forwarding state 400 .
  • FIG. 4B illustrates a process used in one embodiment for resetting the number of tokens in a rate limiter. Processing begins with process block 430 , and proceeds to process block 432 , wherein the number of tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic. When the timer expires as determined by process block 435 , processing returns to process block 432 to reset the number of tokens.
  • FIG. 4C illustrates a process used in one embodiment for rate-limiting traffic. Processing begins with process block 450 .
  • process block 452 a packet is received (and classified if the corresponding rate-limiter needs to be identified). Note, as one skilled in the art would clearly understand, a packet is classified typically by extracting one or more fields from the packet and then performing a lookup operation using this value as a search key in order to generate a classification indication corresponding to the packet.
  • the number of tokens is decreased (e.g., by one, by the number of bytes in the packet, or by some other amount corresponding to an amount of traffic).
  • the current rate-limiting state identified based on the current number of tokens (for the current rate time period) is the in-profile forwarding state, then packets are forwarded as normal in process block 456 . Otherwise, as determined by process block 457 , if the current rate-limiting state is the out-of-profile leak state 410 , the packet is sampled (e.g., the packet itself or a copy thereof is forwarded to a processing mechanism) or the packet is rate-limited of a first type in process block 458 .
  • one or more packets are selected for snooping (e.g., forwarding copies of the packet both normally and to a processing mechanism, such as, but not limited to allowing the selected traffic to be analyzed without affecting the normal flow of the packet stream). Otherwise, the packet is rate-limited of a second type (as the state is the out-of-profile rate-limiting state) in process block 459 . Note, in one embodiment, all traffic for the packet stream is forwarded, which may be particularly useful when the packets are snooped when in the out-of-profile leak state. Processing returns to process block 452 to receive and process the next packet.
  • FIGS. 5A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic.
  • This embodiment operates in a manner similar to that illustrated in FIGS. 4A-C , but also includes a burst rate to rate-limit the traffic in sub-time periods of the overall time period, which possibly has the effect of reducing the overall burstiness of the rate limiting of a classification of packet traffic.
  • the rate-limiting mechanism includes at least the three states of in-profile forwarding state 500 , out-of-profile leak state 510 , and out-of-profile rate-limiting state 520 .
  • each packet classification is allocated a number of main tokens corresponding to its authorized rate each time period (e.g., the current token value is reset to this value at the expiration of the measuring period), as well as a number of burst tokens corresponding to its authorized rate each burst time period within the main time period.
  • the current number of burst and main tokens are reduced by the number of packets or bytes thereof processed during the current burst and main time periods.
  • the current rate-limiting state transitions ( 515 ) to out-of-profile leak state 510 , or if the burst number of tokens becomes non-positive, the current rate-limiting state transitions ( 523 ) to out-of-profile rate-limiting state 520 .
  • the current rate-limiting state transitions ( 517 ) to out-of-profile rate-limiting state 520 .
  • the current rate-limiting state transitions ( 525 ) to out-of-profile leak state 510 .
  • the current rate-limiting state transitions ( 507 , 509 ) to in-profile forwarding state 500 .
  • FIG. 5B illustrates a process used in one embodiment for resetting the number of main and burst tokens in a rate limiter. Processing begins with process block 530 , and proceeds to process block 532 , wherein the number of mains tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic. In process block 534 , the number of burst tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic within the burst period.
  • process block 535 When the timer expires as determined in process block 535 , then as determined in process block 537 , if the main time period is not expired (e.g., a count of the number of burst periods within the current main time period does not equal the total number of burst periods within the current main time period), then in process block 534 , only the number of burst tokens is initialized. Otherwise, processing returns to process block 532 to initialize the number of main tokens and then to process block 534 to initialize the number of burst tokens.
  • the main time period e.g., a count of the number of burst periods within the current main time period does not equal the total number of burst periods within the current main time period
  • FIG. 5C illustrates a process used in one embodiment for rate-limiting traffic. Processing begins with process block 550 .
  • process block 552 a packet is received (and classified if the corresponding rate-limiter needs to be identified).
  • process block 554 the number of main tokens and number of burst tokens are decreased (e.g., by one, by the number of bytes in the packet, or by some other amount corresponding to an amount of traffic).
  • process block 555 if the current rate-limiting state is the in-profile forwarding state, then packets are forwarded as normal in process block 556 .
  • the packet is sampled (e.g., the packet itself or a copy thereof is forwarded to a processing mechanism) or the packet is rate-limited of a first type in process block 558 .
  • one or more packets are selected for snooping (e.g., forwarding copies of the packet both normally and to a processing mechanism, such as, but not limited to allowing the selected traffic to be analyzed without affecting the normal flow of the packet stream).
  • the packet is rate-limited of a second type (as the state is the out-of-profile rate-limiting state) in process block 559 .
  • all traffic for the packet stream is forwarded, which may be particularly useful when the packets are snooped when in the out-of-profile leak state. Processing returns to process block 552 to receive and process the next packet.
  • FIG. 6 illustrates a process used in one embodiment for analyzing sampled rate-limited traffic and reacting to identified conditions. Processing begins with process block 600 , and proceeds to process block 602 , wherein one or more sampled packets are analyzed, such as, but not limited to identifying whether or not a threat condition exists. Identifying threat conditions is well-understood in the art and the approach and exact analysis performed on the data points (i.e., on the sampled packets according to an embodiment) is dependent on the configuration of the system.
  • process block 605 If a threat condition is identified, as indicated by process block 605 , then in response to the identified threat condition, defensive action is taken in process block 606 to reduce said identified threat condition, such as, but not limited to, adjusting rates or threshold values for the transition(s) between one or more rate-limiting states, installing access control list entries, adjusting other values and/or mechanisms to affect the flow of traffic related to the identified condition. Processing is returned to process block 602 to analyze more sampled packets.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.

Description

TECHNICAL FIELD
One embodiment of the invention relates to communications and computer systems, especially routers, packet switching systems, and other devices; and more particularly, one embodiment relates to sampling rate-limited traffic, such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
BACKGROUND
The communications industry is rapidly changing to adjust to emerging technologies and ever increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communications networks are being built and expanded using various packet technologies, such as Internet Protocol (IP). Note, nothing described or referenced in this document is admitted as prior art to this application unless explicitly so stated.
Traffic rate-limiting mechanisms are used to ensure packet traffic conforms to certain predetermined rates. These can be used to protect systems from attacks (e.g., denial-of-service) and to ensure packet traffic conforms to subscribed rates.
Traditional rate limiters are implemented with two rate-limiting states. FIG. 1A illustrates one such prior approach wherein when a rate limiter is in an in-profile forwarding state 100, packets are forwarded normally. In response to the rate exceeding threshold value, the state of the rate limiter switches to an out-of-profile rate-limiting state 102, wherein packets are rate-limited, such as, but not limited to being dropped or redirected to another location or processor. When the rate drops below the threshold (e.g., the rate over time decreases or a new measuring time period commences), the state switches back to in-profile forwarding state 100.
FIG. 1B illustrates a prior art system using a rate limiter for limiting multiple different types and/or streams of traffic. Packets are first classified by classification mechanism 110 (e.g., an associative memory such as a ternary content-addressable memory) to identifying which set of rate-limiting parameters to use. Rate-limiting mechanism 112 retrieves the corresponding parameters 114 based on the rate-limiter indication and performs the appropriative forwarding or rate-limiting operation based on its current state as illustrated by and described in relation to FIG. 1A. Clock or timer 116 provides the timing references as the current rate of a classification of traffic is determined based on a number of packets received in a given time period or over time.
A problem with these prior art rate-limiting systems is that they provide minimal information about the traffic (e.g., statistics of the number of packets dropped) or they redirect all the out-of-profile packets to a processing mechanism, which can be overwhelmed by the number of packets.
SUMMARY
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for sampling rate-limited traffic, such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
One embodiment that rate limits and samples rate-limited packet traffic maintains a representation of a current rate of packet traffic. The current rate corresponds to one of multiple rate-limiting states, which include an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold. Packets are rate-limited (i.e., throttled or not throttled) according to the rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
In one embodiment, exactly one packet is selected during the out-of-profile leak state. In one embodiment, multiple particular packets are selected during the out-of-profile leak state, with these particular packets including at least two consecutively received packets. In one embodiment, rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped. In one embodiment, the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition. In one embodiment, the defensive action includes adjusting at least one of the first or second thresholds.
BRIEF DESCRIPTION OF THE DRAWINGS
The appended claims set forth the features of the invention with particularity. The invention, together with its advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:
FIGS. 1A-B are block diagrams illustrating prior approaches for rate-limiting of traffic;
FIG. 2 is a block diagram illustrating multiple rate-limiting states including an out-of-profile leak state used in one embodiment;
FIG. 3A is a block diagram of a system that samples rate-limited traffic, analyzes these samples, and reacts to identified conditions;
FIG. 3B is block diagram of a system or component used in one embodiment;
FIGS. 4A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic;
FIGS. 5A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic; and
FIG. 6 illustrates a process used in one embodiment for analyzing sampled rate-limited traffic and reacting to identified conditions.
DETAILED DESCRIPTION
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for sampling rate-limited traffic, such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
Note, embodiments described herein include various elements and limitations, with no one element or limitation contemplated as being a critical element or limitation. Each of the claims individually recites an aspect of the invention in its entirety. Moreover, some embodiments described may include, but are not limited to, inter alia, systems, networks, integrated circuit chips, embedded processors, ASICs, methods, and computer-readable media containing instructions. One or multiple systems, devices, components, etc. may comprise one or more embodiments, which may include some elements or limitations of a claim being performed by the same or different systems, devices, components, etc. The embodiments described hereinafter embody various aspects and configurations within the scope and spirit of the invention, with the figures illustrating exemplary and non-limiting configurations. Note, computer-readable media and means for performing methods and processing block operations are disclosed and are in keeping with the extensible scope and spirit of the invention.
As used herein, the term “packet” refers to packets of all types or any other units of information or data, including, but not limited to, fixed length cells and variable length packets, each of which may or may not be divisible into smaller packets or cells. The term “packet” as used herein also refers to both the packet itself or a packet indication, such as, but not limited to all or part of a packet or packet header, a data structure value, pointer or index, or any other part or direct or indirect identification of a packet or information associated therewith. For example, often times a router operates on one or more fields of a packet, especially the header, so the body of the packet is often stored in a separate memory while the packet header is manipulated, and based on the results of the processing of the packet (i.e., the packet header in this example), the entire packet is forwarded or dropped, etc. Additionally, these packets may contain one or more types of information, including, but not limited to, voice, data, video, and audio information. The term “item” is used generically herein to refer to a packet or any other unit or piece of information or data, a device, component, element, or any other entity. The phrases “processing a packet” and “packet processing” typically refer to performing some steps or actions based on the packet contents (e.g., packet header or other fields), and such steps or action may or may not include modifying, storing, dropping, and/or forwarding the packet and/or associated data. The term or reference to “dropping” a packet or a variant thereof (e.g., drop the packet, the packet is dropped, etc.) is used herein to identify the physical dropping of the packet, causing the packet to be dropped, and/or marking or distinguishing the packet for subsequent dropping or potentially different processing (e.g., a higher probability of being dropped by subsequent processing, Early Congestion Notification marking, etc.) than that of an “admitted” packet.
The term “system” is used generically herein to describe any number of components, elements, sub-systems, devices, packet switch elements, packet switches, routers, networks, computer and/or communication devices or mechanisms, or combinations of components thereof. The term “computer” is used generically herein to describe any number of computers, including, but not limited to personal computers, embedded processing elements and systems, control logic, ASICs, chips, workstations, mainframes, etc. The term “processing element” is used generically herein to describe any type of processing mechanism or device, such as a processor, ASIC, field programmable gate array, computer, etc. The term “device” is used generically herein to describe any type of mechanism, including a computer or system or component thereof. The terms “task” and “process” are used generically herein to describe any type of running program, including, but not limited to a computer process, task, thread, executing application, operating system, user process, device driver, native code, machine or other language, etc., and can be interactive and/or non-interactive, executing locally and/or remotely, executing in foreground and/or background, executing in the user and/or operating system address spaces, a routine of a library and/or standalone application, and is not limited to any particular memory partitioning technique. The steps, connections, and processing of signals and information illustrated in the figures, including, but not limited to any block and flow diagrams and message sequence charts, may typically be performed in the same or in a different serial or parallel ordering and/or by different components and/or processes, threads, etc., and/or over different connections and be combined with other functions in other embodiments, unless this disables the embodiment or a sequence is explicitly or implicitly required (e.g., for a sequence of read the value, process the value—the value must be obtained prior to processing it, although some of the associated processing may be performed prior to, concurrently with, and/or after the read operation). Furthermore, the term “identify” is used generically to describe any manner or mechanism for directly or indirectly ascertaining something, which may include, but is not limited to receiving, retrieving from memory, determining, defining, calculating, generating, etc.
Moreover, the terms “network” and “communications mechanism” are used generically herein to describe one or more networks, communications media or communications systems, including, but not limited to the Internet, private or public telephone, cellular, wireless, satellite, cable, local area, metropolitan area and/or wide area networks, a cable, electrical connection, bus, etc., and internal communications mechanisms such as message passing, interprocess communications, shared memory, etc. The term “message” is used generically herein to describe a piece of information which may or may not be, but is typically communicated via one or more communication mechanisms of any type.
The term “storage mechanism” includes any type of memory, storage device or other mechanism for maintaining instructions or data in any format. “Computer-readable medium” is an extensible term including any memory, storage device, storage mechanism, and other storage mechanisms. The term “memory” includes any random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components or elements. The term “storage device” includes any solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Memories and storage devices may store computer-executable instructions to be executed by a processing element and/or control logic, and data which is manipulated by a processing element and/or control logic. The term “data structure” is an extensible term referring to any data element, variable, data structure, database, and/or one or more organizational schemes that can be applied to data to facilitate interpreting the data or performing operations on it, such as, but not limited to memory locations or devices, sets, queues, trees, heaps, lists, linked lists, arrays, tables, pointers, etc. A data structure is typically maintained in a storage mechanism. The terms “pointer” and “link” are used generically herein to identify some mechanism for referencing or identifying another element, component, or other entity, and these may include, but are not limited to a reference to a memory or other storage mechanism or location therein, an index in a data structure, a value, etc.
The term “one embodiment” is used herein to reference a particular embodiment, wherein each reference to “one embodiment” may refer to a different embodiment, and the use of the term repeatedly herein in describing associated features, elements and/or limitations does not establish a cumulative set of associated features, elements and/or limitations that each and every embodiment must include, although an embodiment typically may include all these features, elements and/or limitations. In addition, the phrase “means for xxx” typically includes computer-readable medium containing computer-executable instructions for performing xxx.
In addition, the terms “first,” “second,” etc. are typically used herein to denote different units (e.g., a first element, a second element). The use of these terms herein does not necessarily connote an ordering such as one unit or event occurring or coming before another, but rather provides a mechanism to distinguish between particular units. Additionally, the use of a singular tense of a noun is non-limiting, with its use typically including one or more of the particular thing rather than just one (e.g., the use of the word “memory” typically refers to one or more memories without having to specify “memory or memories,” or “one or more memories” or “at least one memory”, etc.). Moreover, the phrases “based on x” and “in response to x” are used to indicate a minimum set of items “x” from which something is derived or caused, wherein “x” is extensible and does not necessarily describe a complete list of items on which the operation is performed, etc. Additionally, the phrase “coupled to” is used to indicate some level of direct or indirect connection between two elements or devices, with the coupling device or devices modifying or not modifying the coupled signal or communicated information. The term “subset” is used to indicate a group of all or less than all of the elements of a set. The term “subtree” is used to indicate all or less than all of a tree. Moreover, the term “or” is used herein to identify a selection of one or more, including all, of the conjunctive items. Additionally, the transitional term “comprising,” which is synonymous with “including,” “containing,” or “characterized by,” is inclusive or open-ended and does not exclude additional, unrecited elements or method steps.
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for sampling rate-limited traffic, such as, but not limited to a rate limiter with at least three rate-limiting states including an out-of-profile leak state wherein packets are sampled.
One embodiment for rate limiting and sampling rate limited packets includes: maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate limiting states, the plurality of rate limiting states including an in profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out of profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out of profile rate limiting state corresponding to the current rate of traffic being above the second threshold; and rate limiting packets of said packet traffic according to said rate limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non selected packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type.
In one embodiment, wherein exactly one packet is selected during the out of profile leak state. In one embodiment, a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets. In one embodiment, said rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped. In one embodiment, the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition. In one embodiment, said defensive action includes adjusting at least one of the first or second thresholds. In one embodiment, exactly one packet is selected during the out of profile leak state. In one embodiment, a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets. In one embodiment, said defensive action includes installing an access control list entry in an access control list being applied to said packet traffic to counter said identified threat condition.
One embodiment includes: a classification mechanism for classifying packet traffic into a plurality of classified packet traffic flows; a rate limiter configured to rate limit traffic of said classified packet traffic flows according to a current rate limiting state of a plurality of rate limiting states identified based on a current rate of packet traffic for, the plurality of rate limiting states including an in profile forwarding state, an out of profile leak state, and an out of profile rate limiting state; wherein said rate limiting of traffic according to the current rate limiting state includes forwarding packets normally during the in profile forwarding state, sampling packets during the out of profile leak state such that said sampled packets are forwarded to a processing mechanism while non sampled packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type.
One embodiment comprises the processing mechanism configured for analyzing leaked packets and to reacting to identified conditions based on an analysis of said leaked packets. In one embodiment, said reacting to identified conditions includes adjusting a rate threshold defining said in profile forwarding state. In one embodiment, the current rate limiting state transitions from the in profile forwarding state to the out of profile leak state and then to the out of profile rate limiting state. In one embodiment, the current rate limiting state transitions from the out of profile leak state to the out of profile rate limiting state in response to achieving a predetermined number of packets.
One embodiment includes: means for identifying a current rate limiting state of a plurality of rate limiting states for a classification of traffic, the plurality of rate limiting states including an in profile forwarding state, an out of profile leak state, and an out of profile rate limiting state; and means for rate limiting packets of said packet traffic according to said rate limiting state, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non selected packets during the out of profile leak state are rate-limited of a first type, and packets during the out of profile rate limiting state are rate-limited of a second type.
One embodiment includes means for performing defensive action; wherein the processing mechanism is configured to identify a threat condition based on one or more of said selected packets, and said means for performing defensive action is responsive to said identifying the threat condition by the processing mechanism. In one embodiment, exactly one packet is selected during the out of profile leak state. In one embodiment, a plurality of particular packets are selected during the out of profile leak state, said particular packets including at least two consecutively received packets. In one embodiment, said means for identifying a current rate limiting state includes means for identifying a current rate of packet traffic. In one embodiment, said means for identifying a current rate of packet traffic includes means for updating a token value. In one embodiment, said means for identifying a current rate of packet traffic includes means for updating a main token value and a burst token value.
One embodiment of rate limiting and sampling rate limited packet traffic includes: maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate limiting states, the plurality of rate limiting states including an in profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out of profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out of profile rate limiting state corresponding to the current rate of traffic being above the second threshold; and rate limiting packets of said packet traffic according to said rate limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in profile forwarding state, one or more of the packets are selected during the out of profile leak state such that said selected packets are both forwarded normally and sent to a processing mechanism for processing, and packets during the out of profile rate limiting state are forwarded normally or rate-limited of a second type.
In one embodiment, all packet are selected during the out of profile leak state. In one embodiment, packets are not forwarded normally during the out of profile rate limiting state.
FIG. 2 is a block diagram illustrating multiple rate-limiting states including an out-of-profile leak state used in one embodiment. As shown, the rate limiter is in in-profile forwarding state 200 when the traffic conforms to its predetermined rate. Traffic is typically forwarded normally when the rate limiter is in in-profile forwarding state 200. When the rate exceeds a first predetermined threshold rate (205), the current state of the rate limiter changes to out-of-profile leak state 210. While the rate limiter is in out-of-profile leak state 210, packets are sampled (also referred to as packets being “leaked”) and redirected to a particular destination, such as, but not limited to a processing mechanism (e.g., a system that analyzes the sampled packets and/or logs the sampled packets and/or performs some other function). This sampling of packets may include only redirecting the packet, or redirecting the packet as well as forwarding the packet normally, i.e., in other words, the packet (or a copy thereof) is both forwarded as normal and redirected or otherwise forwarded to a processing mechanism. After the rate exceeds a second predetermined threshold (which includes a predetermined number of packets received during the out-of-profile leak state 210) or the sampling period expires, the state changes (215) to out-of-profile rate-limiting state 220, in which packets are typically dropped or redirected to another destination (i.e., the packets are typically not forwarded normally). The state of the rate limiter transitions (207, 209) back to in-profile forwarding state 200 in response to the rate dropping below the first threshold (e.g., the rate over time decreases or a new measuring time period commences).
Note, one embodiment provides a programmable type of rate limiting for each of the rate-limiting states, with these programmable types of rate limiting including, but not limited to forwarding as normal, redirect (e.g., forward to a specified destination), drop, forward and snoop (e.g., forward as well as provide a copy to another destination), redirect and snoop, and drop and snoop.
FIG. 3A is a block diagram of a system that samples rate-limited traffic, analyzes these samples, and reacts to identified conditions. A packet 300 is received and then is classified by classification mechanism 306 to identify which rate limiter the packet corresponds (specified by rate-limiter indication 307). Note, the term “rate limiter” refers to a rate-limiting mechanism with corresponding rate-limiting parameters and/or the measured and/or approximated current traffic rate for a particular classification of packets.
Rate-limiting mechanism 312 retrieves for the corresponding rate-limiting parameters, current traffic rate, and/or current rate-limiting state (314) based on rate-limiter indication 307, and rate limits the corresponding packet 309 accordingly. The exact retrieved information depends on the embodiment. For example, one embodiment maintains a current token value and one or more threshold values for each classification of packets in memory or registers 314, which allows rate-limiting mechanism to readily identify the current rate-limiting state. In one embodiment, mechanism 314 maintains these values and merely provides rate-limiting mechanism the current rate-limiting state corresponding to the packet 309 to be rate limited. In one embodiment, rate-limiting mechanism is responsive to clock or timer 316, as a rate is a function of time. For example, one embodiment represents the measurement of the current rate as a current number of tokens in a current time period, with the tokens being re-initialized every expiration of the time period. In one embodiment, the number of packets or bytes thereof are maintained with a calculation performed based on a time duration to identify the current packet rate. In one embodiment, the number of packets or bytes thereof are maintained and are aged over time.
Rate-limiting mechanism 312 rate-limits (e.g., forwards normally, drops, redirects, etc.) (315) packet 309 according to the current rate-limiting state. In one embodiment, sampled packets during the out-of-profile leak state are redirected (317) to processing mechanism 320, which analyzes these sampled packets. If a condition is detected, such as a denial-of-service attack or other offensive condition (whether malicious or not), processing mechanism 320 may initiate a reaction (323) to such identified condition to modify the operation of rate-limiting mechanism, such as to modify its transition between states for the corresponding packet classification (and possibly others) such that the offending traffic can be further reduced (e.g., dropped, redirected) such that it does not proceed downstream.
FIG. 3B is block diagram of a system or component 340 used in one embodiment for maintaining performing class-based bandwidth partitioning. In one embodiment, system or component 340 performs one or more processes corresponding to one of the flow diagrams or pseudo code illustrated or otherwise described herein.
In one embodiment, system or component 340 includes a processing element 341, memory 342, storage devices 343, and an interface 344 for sending and receiving packets and/or communicating with external devices (e.g. one or more memories and/or classification/lookup mechanisms), which are typically communicatively coupled via one or more communications mechanisms 349, with the communications paths typically tailored to meet the needs of the application.
Various embodiments of component 340 may include more or less elements. The operation of component 340 is typically controlled by processing element 341 using memory 342 and storage devices 343 to perform one or more tasks or processes. Memory 342 is one type of computer-readable medium, and typically comprises random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components. Memory 342 typically stores computer-executable instructions to be executed by processing element 341 and/or data which is manipulated by processing element 341 for implementing functionality in accordance with an embodiment. Storage devices 343 are another type of computer-readable medium, and typically comprise solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Storage devices 343 typically store computer-executable instructions to be executed by processing element 341 and/or data which is manipulated by processing element 341 for implementing functionality in accordance with an embodiment.
FIGS. 4A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic. Note, the state diagram illustrated in FIG. 4A illustrates one embodiment of the state diagram illustrated in FIG. 2, wherein FIG. 4A specifically refers to tokens. As shown in FIG. 4A, the rate-limiting mechanism includes at least the three states of in-profile forwarding state 400, out-of-profile leak state 410, and out-of-profile rate-limiting state 420. In one embodiment, each packet classification is allocated a number of tokens corresponding to its authorized rate each time period (e.g., the current token value is reset to this value at the expiration of the measuring period). The current number of tokens is reduced by the number of packets or bytes thereof processed during the current time period. When the number of tokens becomes non-positive, the current rate-limiting state transitions (415) to out-of-profile leak state 410. When the sampling period expires (e.g., after sampling a predetermined number of packets such as one packet, after sampling at least two consecutive packets, after sampling a predetermined number of packets such as sampling one packet every nth packet received during the out-of-profile leak state (410), the current rate-limiting state transitions (417) to out-of-profile rate-limiting state 420. When the number of tokens is reset or otherwise becomes positive, the current rate-limiting state transitions (407, 409) to in-profile forwarding state 400.
FIG. 4B illustrates a process used in one embodiment for resetting the number of tokens in a rate limiter. Processing begins with process block 430, and proceeds to process block 432, wherein the number of tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic. When the timer expires as determined by process block 435, processing returns to process block 432 to reset the number of tokens.
FIG. 4C illustrates a process used in one embodiment for rate-limiting traffic. Processing begins with process block 450. In process block 452, a packet is received (and classified if the corresponding rate-limiter needs to be identified). Note, as one skilled in the art would clearly understand, a packet is classified typically by extracting one or more fields from the packet and then performing a lookup operation using this value as a search key in order to generate a classification indication corresponding to the packet.
In process block 454, the number of tokens is decreased (e.g., by one, by the number of bytes in the packet, or by some other amount corresponding to an amount of traffic). As determined in process block 455, if the current rate-limiting state identified based on the current number of tokens (for the current rate time period) is the in-profile forwarding state, then packets are forwarded as normal in process block 456. Otherwise, as determined by process block 457, if the current rate-limiting state is the out-of-profile leak state 410, the packet is sampled (e.g., the packet itself or a copy thereof is forwarded to a processing mechanism) or the packet is rate-limited of a first type in process block 458. Note, in one embodiment, one or more packets (and possibly all packets) are selected for snooping (e.g., forwarding copies of the packet both normally and to a processing mechanism, such as, but not limited to allowing the selected traffic to be analyzed without affecting the normal flow of the packet stream). Otherwise, the packet is rate-limited of a second type (as the state is the out-of-profile rate-limiting state) in process block 459. Note, in one embodiment, all traffic for the packet stream is forwarded, which may be particularly useful when the packets are snooped when in the out-of-profile leak state. Processing returns to process block 452 to receive and process the next packet.
FIGS. 5A-C illustrate the operation of one embodiment that uses multiple rate-limiting states including an out-of-profile leak state in rate limiting of traffic. This embodiment operates in a manner similar to that illustrated in FIGS. 4A-C, but also includes a burst rate to rate-limit the traffic in sub-time periods of the overall time period, which possibly has the effect of reducing the overall burstiness of the rate limiting of a classification of packet traffic.
As shown in FIG. 5A, the rate-limiting mechanism includes at least the three states of in-profile forwarding state 500, out-of-profile leak state 510, and out-of-profile rate-limiting state 520. In one embodiment, each packet classification is allocated a number of main tokens corresponding to its authorized rate each time period (e.g., the current token value is reset to this value at the expiration of the measuring period), as well as a number of burst tokens corresponding to its authorized rate each burst time period within the main time period. The current number of burst and main tokens are reduced by the number of packets or bytes thereof processed during the current burst and main time periods.
When the number of main tokens becomes non-positive, the current rate-limiting state transitions (515) to out-of-profile leak state 510, or if the burst number of tokens becomes non-positive, the current rate-limiting state transitions (523) to out-of-profile rate-limiting state 520. When in the out-of-profile leak state 510, in response to the sampling period expiring (e.g., after sampling a predetermined number of packets such as one packet, after sampling at least two consecutive packets, after sampling a predetermined number of packets such as sampling one packet every nth packet received during the out-of-profile leak state (510), the current rate-limiting state transitions (517) to out-of-profile rate-limiting state 520. When in the out-of-profile rate-limiting state 520, if the number of main tokens becomes non-negative (e.g., in the case where you were burst limited and then the main number of tokens became non-negative), the current rate-limiting state transitions (525) to out-of-profile leak state 510. When in the out-of-profile leak state 510 or in the out-of-profile rate-limiting state 520, if the number of burst tokens and the number of main tokens are both greater than zero, then the current rate-limiting state transitions (507, 509) to in-profile forwarding state 500.
FIG. 5B illustrates a process used in one embodiment for resetting the number of main and burst tokens in a rate limiter. Processing begins with process block 530, and proceeds to process block 532, wherein the number of mains tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic. In process block 534, the number of burst tokens is initialized to a value based on the allowed rate for the corresponding classification of traffic within the burst period. When the timer expires as determined in process block 535, then as determined in process block 537, if the main time period is not expired (e.g., a count of the number of burst periods within the current main time period does not equal the total number of burst periods within the current main time period), then in process block 534, only the number of burst tokens is initialized. Otherwise, processing returns to process block 532 to initialize the number of main tokens and then to process block 534 to initialize the number of burst tokens.
FIG. 5C illustrates a process used in one embodiment for rate-limiting traffic. Processing begins with process block 550. In process block 552, a packet is received (and classified if the corresponding rate-limiter needs to be identified). In process block 554, the number of main tokens and number of burst tokens are decreased (e.g., by one, by the number of bytes in the packet, or by some other amount corresponding to an amount of traffic). As determined in process block 555, if the current rate-limiting state is the in-profile forwarding state, then packets are forwarded as normal in process block 556. Otherwise, as determined by process block 557, if the current rate-limiting state is the out-of-profile leak state 510, the packet is sampled (e.g., the packet itself or a copy thereof is forwarded to a processing mechanism) or the packet is rate-limited of a first type in process block 558. Note, in one embodiment, one or more packets (and possibly all packets) are selected for snooping (e.g., forwarding copies of the packet both normally and to a processing mechanism, such as, but not limited to allowing the selected traffic to be analyzed without affecting the normal flow of the packet stream). Otherwise, the packet is rate-limited of a second type (as the state is the out-of-profile rate-limiting state) in process block 559. Note, in one embodiment, all traffic for the packet stream is forwarded, which may be particularly useful when the packets are snooped when in the out-of-profile leak state. Processing returns to process block 552 to receive and process the next packet.
FIG. 6 illustrates a process used in one embodiment for analyzing sampled rate-limited traffic and reacting to identified conditions. Processing begins with process block 600, and proceeds to process block 602, wherein one or more sampled packets are analyzed, such as, but not limited to identifying whether or not a threat condition exists. Identifying threat conditions is well-understood in the art and the approach and exact analysis performed on the data points (i.e., on the sampled packets according to an embodiment) is dependent on the configuration of the system. If a threat condition is identified, as indicated by process block 605, then in response to the identified threat condition, defensive action is taken in process block 606 to reduce said identified threat condition, such as, but not limited to, adjusting rates or threshold values for the transition(s) between one or more rate-limiting states, installing access control list entries, adjusting other values and/or mechanisms to affect the flow of traffic related to the identified condition. Processing is returned to process block 602 to analyze more sampled packets.
In view of the many possible embodiments to which the principles of our invention may be applied, it will be appreciated that the embodiments and aspects thereof described herein with respect to the drawings/figures are only illustrative and should not be taken as limiting the scope of the invention. For example, and as would be apparent to one skilled in the art, many of the process block operations can be re-ordered to be performed before, after, or substantially concurrent with other operations. Also, many different forms of data structures could be used in various embodiments. The invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof.

Claims (24)

1. A method of rate-limiting and sampling rate-limited packets, the method comprising:
identifying a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets in order to analyze said selected packets to determine whether or not to modify said rate-liming packets of said packet traffic while a plurality of non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
2. The method of claim 1, wherein exactly one packet is selected during the out-of-profile leak state.
3. The method of claim 1, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
4. The method of claim 1, wherein said rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped.
5. The method of claim 1, wherein the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition.
6. The method of claim 5, wherein said defensive action includes adjusting at least one of the first or second thresholds.
7. The method of claim 6, wherein exactly one packet is selected during the out-of-profile leak state.
8. The method of claim 6, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
9. The method of claim 5, wherein said defensive action includes installing an access control list entry in an access control list being applied to said packet traffic to counter said identified threat condition.
10. An apparatus, comprising:
a classification mechanism for classifying packet traffic into a plurality of classified packet traffic flows;
a rate-limiter configured to rate limit traffic of said classified packet traffic flows according to a current rate-limiting state of a plurality of rate-limiting states identified based on a current rate of packet traffic, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state;
wherein said rate limiting of traffic according to the current rate-limiting state includes forwarding packets normally during the in-profile forwarding state, sampling one or more packets during the out-of-profile leak state such that said sampled packets are forwarded to a processing mechanism for analyzing said sampled packets to determine whether or not to modify said rate liming of traffic while a plurality of non-sampled packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
11. The apparatus of claim 10, comprising the processing mechanism configured for analyzing leaked packets and to reacting to identified conditions based on an analysis of said leaked packets.
12. The apparatus of claim 11, wherein said reacting to identified conditions includes adjusting a rate threshold defining said in-profile forwarding state.
13. The apparatus of claim 10, wherein the current rate-limiting state transitions from the in-profile forwarding state to the out-of-profile leak state and then to the out-of-profile rate-limiting state.
14. The apparatus of claim 13, wherein the current rate-limiting state transitions from the out-of-profile leak state to the out-of-profile rate-limiting state in response to receiving a predetermined number of packets while in the out-of-profile leak state.
15. An apparatus, comprising:
means for identifying a current rate-limiting state of a plurality of rate-limiting states for a classification of traffic, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state; and
means for rate-limiting packets of said packet traffic according to said rate-limiting state, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets in order to analyze said selected packets to determine whether or not to modify said rate-liming packets of said packet traffic while a plurality of non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
16. The apparatus of claim 15, comprising means for performing defensive action; wherein the processing mechanism is configured to identify a threat condition based on one or more of said selected packets, and said means for performing defensive action is responsive to said identifying the threat condition by the processing mechanism.
17. The apparatus of claim 15, wherein exactly one packet is selected during the out-of-profile leak state.
18. The apparatus of claim 15, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
19. The apparatus of claim 15, wherein said means for identifying a current rate-limiting state includes means for identifying a current rate of packet traffic.
20. The apparatus of claim 19, wherein said means for identifying the current rate of packet traffic includes means for updating a token value.
21. The apparatus of claim 20, wherein the current rate of packet traffic includes a burst rate; wherein the token value is a main token value; and
wherein said means for identifying the current rate of packet traffic includes means for updating a burst token value corresponding to the burst rate.
22. A method of rate-limiting and sampling rate-limited packet traffic, the method comprising:
identifying a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are both forwarded normally and sent to a processing mechanism for processing in order to analyze said selected packets to determine whether or not to modify said rate-liming packets of said packet traffic, and packets during the out-of-profile rate-limiting state are forwarded normally or rate-limited of a second type.
23. The method of claim 22, wherein all packet are selected during the out-of-profile leak state.
24. The method of claim 22, wherein packets are not forwarded normally during the out-of-profile rate-limiting state.
US11/339,597 2006-01-25 2006-01-25 Sampling rate-limited traffic Active 2029-10-23 US8018845B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/339,597 US8018845B2 (en) 2006-01-25 2006-01-25 Sampling rate-limited traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/339,597 US8018845B2 (en) 2006-01-25 2006-01-25 Sampling rate-limited traffic

Publications (2)

Publication Number Publication Date
US20070171824A1 US20070171824A1 (en) 2007-07-26
US8018845B2 true US8018845B2 (en) 2011-09-13

Family

ID=38285449

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/339,597 Active 2029-10-23 US8018845B2 (en) 2006-01-25 2006-01-25 Sampling rate-limited traffic

Country Status (1)

Country Link
US (1) US8018845B2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120092990A1 (en) * 2010-10-14 2012-04-19 T-Mobile Usa, Inc. Quality of Service Adjustments to Improve Network Utilization
US8799904B2 (en) 2011-01-21 2014-08-05 International Business Machines Corporation Scalable system call stack sampling
US8799872B2 (en) 2010-06-27 2014-08-05 International Business Machines Corporation Sampling with sample pacing
US8843684B2 (en) 2010-06-11 2014-09-23 International Business Machines Corporation Performing call stack sampling by setting affinity of target thread to a current process to prevent target thread migration
US9176783B2 (en) 2010-05-24 2015-11-03 International Business Machines Corporation Idle transitions sampling with execution context
US9418005B2 (en) 2008-07-15 2016-08-16 International Business Machines Corporation Managing garbage collection in a data processing system

Families Citing this family (166)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7051367B1 (en) * 2001-05-14 2006-05-23 Juniper Networks, Inc. Dynamically controlling packet processing
US7599287B2 (en) * 2002-11-15 2009-10-06 Cisco Technology, Inc. Tokens in token buckets maintained among primary and secondary storages
US8584239B2 (en) 2004-04-01 2013-11-12 Fireeye, Inc. Virtual machine with dynamic data flow analysis
US8793787B2 (en) 2004-04-01 2014-07-29 Fireeye, Inc. Detecting malicious network content using virtual environment components
US7587537B1 (en) 2007-11-30 2009-09-08 Altera Corporation Serializer-deserializer circuits formed from input-output circuit registers
US8566946B1 (en) 2006-04-20 2013-10-22 Fireeye, Inc. Malware containment on connection
US8539582B1 (en) 2004-04-01 2013-09-17 Fireeye, Inc. Malware containment and security analysis on connection
US8881282B1 (en) 2004-04-01 2014-11-04 Fireeye, Inc. Systems and methods for malware attack detection and identification
US9027135B1 (en) 2004-04-01 2015-05-05 Fireeye, Inc. Prospective client identification using malware attack detection
US8528086B1 (en) 2004-04-01 2013-09-03 Fireeye, Inc. System and method of detecting computer worms
US8171553B2 (en) 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US8898788B1 (en) 2004-04-01 2014-11-25 Fireeye, Inc. Systems and methods for malware attack prevention
US9106694B2 (en) 2004-04-01 2015-08-11 Fireeye, Inc. Electronic message analysis for malware detection
US8549638B2 (en) 2004-06-14 2013-10-01 Fireeye, Inc. System and method of containing computer worms
US8077611B2 (en) * 2006-07-27 2011-12-13 Cisco Technology, Inc. Multilevel coupled policer
US8286244B2 (en) * 2007-01-19 2012-10-09 Hewlett-Packard Development Company, L.P. Method and system for protecting a computer network against packet floods
US8505091B2 (en) * 2007-04-30 2013-08-06 Hewlett-Packard Development Company, L.P. Method of protecting against denial-of-service attacks
US8850571B2 (en) 2008-11-03 2014-09-30 Fireeye, Inc. Systems and methods for detecting malicious network content
US8997219B2 (en) 2008-11-03 2015-03-31 Fireeye, Inc. Systems and methods for detecting malicious PDF network content
US20100333071A1 (en) * 2009-06-30 2010-12-30 International Business Machines Corporation Time Based Context Sampling of Trace Data with Support for Multiple Virtual Machines
US8832829B2 (en) 2009-09-30 2014-09-09 Fireeye, Inc. Network-based binary file extraction and analysis for malware detection
US9215151B1 (en) 2011-12-14 2015-12-15 Google Inc. Dynamic sampling rate adjustment for rate-limited statistical data collection
US9519782B2 (en) 2012-02-24 2016-12-13 Fireeye, Inc. Detecting malicious network content
US20140153388A1 (en) * 2012-11-30 2014-06-05 Hewlett-Packard Development Company, L.P. Rate limit managers to assign network traffic flows
US10572665B2 (en) 2012-12-28 2020-02-25 Fireeye, Inc. System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events
US9159035B1 (en) 2013-02-23 2015-10-13 Fireeye, Inc. Framework for computer application analysis of sensitive information tracking
US9176843B1 (en) 2013-02-23 2015-11-03 Fireeye, Inc. Framework for efficient security coverage of mobile software applications
US9195829B1 (en) 2013-02-23 2015-11-24 Fireeye, Inc. User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
US9009823B1 (en) 2013-02-23 2015-04-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications installed on mobile devices
US9009822B1 (en) 2013-02-23 2015-04-14 Fireeye, Inc. Framework for multi-phase analysis of mobile applications
US9824209B1 (en) 2013-02-23 2017-11-21 Fireeye, Inc. Framework for efficient security coverage of mobile software applications that is usable to harden in the field code
US9367681B1 (en) 2013-02-23 2016-06-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application
US8990944B1 (en) 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9104867B1 (en) 2013-03-13 2015-08-11 Fireeye, Inc. Malicious content analysis using simulated user interaction without user involvement
US9355247B1 (en) 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9565202B1 (en) 2013-03-13 2017-02-07 Fireeye, Inc. System and method for detecting exfiltration content
US9626509B1 (en) 2013-03-13 2017-04-18 Fireeye, Inc. Malicious content analysis with multi-version application support within single operating environment
US9311479B1 (en) 2013-03-14 2016-04-12 Fireeye, Inc. Correlation and consolidation of analytic data for holistic view of a malware attack
US9430646B1 (en) 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
WO2014145805A1 (en) 2013-03-15 2014-09-18 Mandiant, Llc System and method employing structured intelligence to verify and contain threats at endpoints
US10713358B2 (en) 2013-03-15 2020-07-14 Fireeye, Inc. System and method to extract and utilize disassembly features to classify software intent
US9251343B1 (en) 2013-03-15 2016-02-02 Fireeye, Inc. Detecting bootkits resident on compromised computers
US9495180B2 (en) 2013-05-10 2016-11-15 Fireeye, Inc. Optimized resource allocation for virtual machines within a malware content detection system
US9635039B1 (en) 2013-05-13 2017-04-25 Fireeye, Inc. Classifying sets of malicious indicators for detecting command and control communications associated with malware
US9536091B2 (en) 2013-06-24 2017-01-03 Fireeye, Inc. System and method for detecting time-bomb malware
US10133863B2 (en) 2013-06-24 2018-11-20 Fireeye, Inc. Zero-day discovery system
US9300686B2 (en) 2013-06-28 2016-03-29 Fireeye, Inc. System and method for detecting malicious links in electronic messages
US9888016B1 (en) 2013-06-28 2018-02-06 Fireeye, Inc. System and method for detecting phishing using password prediction
US9690936B1 (en) 2013-09-30 2017-06-27 Fireeye, Inc. Multistage system and method for analyzing obfuscated content for malware
US9294501B2 (en) 2013-09-30 2016-03-22 Fireeye, Inc. Fuzzy hash of behavioral results
US9736179B2 (en) 2013-09-30 2017-08-15 Fireeye, Inc. System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection
US10192052B1 (en) 2013-09-30 2019-01-29 Fireeye, Inc. System, apparatus and method for classifying a file as malicious using static scanning
US9628507B2 (en) 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen
US10089461B1 (en) 2013-09-30 2018-10-02 Fireeye, Inc. Page replacement code injection
US9171160B2 (en) 2013-09-30 2015-10-27 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9921978B1 (en) 2013-11-08 2018-03-20 Fireeye, Inc. System and method for enhanced security of storage devices
US9189627B1 (en) 2013-11-21 2015-11-17 Fireeye, Inc. System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
US9756074B2 (en) 2013-12-26 2017-09-05 Fireeye, Inc. System and method for IPS and VM-based detection of suspicious objects
US9747446B1 (en) 2013-12-26 2017-08-29 Fireeye, Inc. System and method for run-time object classification
US9292686B2 (en) 2014-01-16 2016-03-22 Fireeye, Inc. Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment
US9262635B2 (en) 2014-02-05 2016-02-16 Fireeye, Inc. Detection efficacy of virtual machine-based analysis with application specific events
US9241010B1 (en) 2014-03-20 2016-01-19 Fireeye, Inc. System and method for network behavior detection
US10242185B1 (en) 2014-03-21 2019-03-26 Fireeye, Inc. Dynamic guest image creation and rollback
US9591015B1 (en) 2014-03-28 2017-03-07 Fireeye, Inc. System and method for offloading packet processing and static analysis operations
US9432389B1 (en) 2014-03-31 2016-08-30 Fireeye, Inc. System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object
US9223972B1 (en) 2014-03-31 2015-12-29 Fireeye, Inc. Dynamically remote tuning of a malware content detection system
US10715406B2 (en) 2014-04-25 2020-07-14 Hewlett Packard Enterprise Development Lp Flow sample
US9973531B1 (en) 2014-06-06 2018-05-15 Fireeye, Inc. Shellcode detection
US9594912B1 (en) 2014-06-06 2017-03-14 Fireeye, Inc. Return-oriented programming detection
US9438623B1 (en) 2014-06-06 2016-09-06 Fireeye, Inc. Computer exploit detection using heap spray pattern matching
US10084813B2 (en) 2014-06-24 2018-09-25 Fireeye, Inc. Intrusion prevention and remedy system
US10805340B1 (en) 2014-06-26 2020-10-13 Fireeye, Inc. Infection vector and malware tracking with an interactive user display
US9398028B1 (en) 2014-06-26 2016-07-19 Fireeye, Inc. System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers
US10002252B2 (en) 2014-07-01 2018-06-19 Fireeye, Inc. Verification of trusted threat-aware microvisor
US9363280B1 (en) 2014-08-22 2016-06-07 Fireeye, Inc. System and method of detecting delivery of malware using cross-customer data
US10671726B1 (en) 2014-09-22 2020-06-02 Fireeye Inc. System and method for malware analysis using thread-level event monitoring
US9773112B1 (en) 2014-09-29 2017-09-26 Fireeye, Inc. Exploit detection of malware and malware families
US10027689B1 (en) 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
KR101645598B1 (en) * 2014-12-18 2016-08-08 광주과학기술원 Method for Detecting Intrusion in Network
US9690933B1 (en) 2014-12-22 2017-06-27 Fireeye, Inc. Framework for classifying an object as malicious with machine learning for deploying updated predictive models
US10075455B2 (en) 2014-12-26 2018-09-11 Fireeye, Inc. Zero-day rotating guest image profile
US9934376B1 (en) 2014-12-29 2018-04-03 Fireeye, Inc. Malware detection appliance architecture
US9838417B1 (en) 2014-12-30 2017-12-05 Fireeye, Inc. Intelligent context aware user interaction for malware detection
US9690606B1 (en) 2015-03-25 2017-06-27 Fireeye, Inc. Selective system call monitoring
US10148693B2 (en) 2015-03-25 2018-12-04 Fireeye, Inc. Exploit detection system
US9438613B1 (en) 2015-03-30 2016-09-06 Fireeye, Inc. Dynamic content activation for automated analysis of embedded objects
US9483644B1 (en) 2015-03-31 2016-11-01 Fireeye, Inc. Methods for detecting file altering malware in VM based analysis
US10474813B1 (en) 2015-03-31 2019-11-12 Fireeye, Inc. Code injection technique for remediation at an endpoint of a network
US10417031B2 (en) 2015-03-31 2019-09-17 Fireeye, Inc. Selective virtualization for security threat detection
US9654485B1 (en) 2015-04-13 2017-05-16 Fireeye, Inc. Analytics-based security monitoring system and method
US9594904B1 (en) 2015-04-23 2017-03-14 Fireeye, Inc. Detecting malware based on reflection
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US10715542B1 (en) 2015-08-14 2020-07-14 Fireeye, Inc. Mobile application risk analysis
US10176321B2 (en) 2015-09-22 2019-01-08 Fireeye, Inc. Leveraging behavior-based rules for malware family classification
US10033747B1 (en) 2015-09-29 2018-07-24 Fireeye, Inc. System and method for detecting interpreter-based exploit attacks
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US10706149B1 (en) 2015-09-30 2020-07-07 Fireeye, Inc. Detecting delayed activation malware using a primary controller and plural time controllers
US10817606B1 (en) 2015-09-30 2020-10-27 Fireeye, Inc. Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic
US10601865B1 (en) 2015-09-30 2020-03-24 Fireeye, Inc. Detection of credential spearphishing attacks using email analysis
US9825989B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
US9825976B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Detection and classification of exploit kits
US10284575B2 (en) 2015-11-10 2019-05-07 Fireeye, Inc. Launcher for setting analysis environment variations for malware detection
US10846117B1 (en) 2015-12-10 2020-11-24 Fireeye, Inc. Technique for establishing secure communication between host and guest processes of a virtualization architecture
US10447728B1 (en) 2015-12-10 2019-10-15 Fireeye, Inc. Technique for protecting guest processes using a layered virtualization architecture
US10108446B1 (en) 2015-12-11 2018-10-23 Fireeye, Inc. Late load technique for deploying a virtualization layer underneath a running operating system
US10133866B1 (en) 2015-12-30 2018-11-20 Fireeye, Inc. System and method for triggering analysis of an object for malware in response to modification of that object
US10565378B1 (en) 2015-12-30 2020-02-18 Fireeye, Inc. Exploit of privilege detection framework
US10050998B1 (en) 2015-12-30 2018-08-14 Fireeye, Inc. Malicious message analysis system
US10621338B1 (en) 2015-12-30 2020-04-14 Fireeye, Inc. Method to detect forgery and exploits using last branch recording registers
US11552986B1 (en) 2015-12-31 2023-01-10 Fireeye Security Holdings Us Llc Cyber-security framework for application of virtual features
US10581874B1 (en) 2015-12-31 2020-03-03 Fireeye, Inc. Malware detection system with contextual analysis
US9824216B1 (en) 2015-12-31 2017-11-21 Fireeye, Inc. Susceptible environment detection system
US10476906B1 (en) 2016-03-25 2019-11-12 Fireeye, Inc. System and method for managing formation and modification of a cluster within a malware detection system
US10671721B1 (en) 2016-03-25 2020-06-02 Fireeye, Inc. Timeout management services
US10601863B1 (en) 2016-03-25 2020-03-24 Fireeye, Inc. System and method for managing sensor enrollment
US10785255B1 (en) 2016-03-25 2020-09-22 Fireeye, Inc. Cluster configuration within a scalable malware detection system
US10893059B1 (en) 2016-03-31 2021-01-12 Fireeye, Inc. Verification and enhancement using detection systems located at the network periphery and endpoint devices
US10826933B1 (en) 2016-03-31 2020-11-03 Fireeye, Inc. Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US10169585B1 (en) 2016-06-22 2019-01-01 Fireeye, Inc. System and methods for advanced malware detection through placement of transition events
US10462173B1 (en) 2016-06-30 2019-10-29 Fireeye, Inc. Malware detection verification and enhancement by coordinating endpoint and malware detection systems
US10592678B1 (en) 2016-09-09 2020-03-17 Fireeye, Inc. Secure communications between peers using a verified virtual trusted platform module
US10491627B1 (en) 2016-09-29 2019-11-26 Fireeye, Inc. Advanced malware detection using similarity analysis
US10795991B1 (en) 2016-11-08 2020-10-06 Fireeye, Inc. Enterprise search
US10587647B1 (en) 2016-11-22 2020-03-10 Fireeye, Inc. Technique for malware detection capability comparison of network security devices
US10552610B1 (en) 2016-12-22 2020-02-04 Fireeye, Inc. Adaptive virtual machine snapshot update framework for malware behavioral analysis
US10581879B1 (en) 2016-12-22 2020-03-03 Fireeye, Inc. Enhanced malware detection for generated objects
US10523609B1 (en) 2016-12-27 2019-12-31 Fireeye, Inc. Multi-vector malware detection and analysis
US10454835B2 (en) 2017-01-20 2019-10-22 Google Llc Device and method for scalable traffic shaping with a time-indexed data structure
US10904286B1 (en) 2017-03-24 2021-01-26 Fireeye, Inc. Detection of phishing attacks using similarity analysis
US10848397B1 (en) 2017-03-30 2020-11-24 Fireeye, Inc. System and method for enforcing compliance with subscription requirements for cyber-attack detection service
US10902119B1 (en) 2017-03-30 2021-01-26 Fireeye, Inc. Data extraction system for malware analysis
US10791138B1 (en) 2017-03-30 2020-09-29 Fireeye, Inc. Subscription-based malware detection
US10798112B2 (en) 2017-03-30 2020-10-06 Fireeye, Inc. Attribute-controlled malware detection
US10855700B1 (en) 2017-06-29 2020-12-01 Fireeye, Inc. Post-intrusion detection of cyber-attacks during lateral movement within networks
US10601848B1 (en) 2017-06-29 2020-03-24 Fireeye, Inc. Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US10893068B1 (en) 2017-06-30 2021-01-12 Fireeye, Inc. Ransomware file modification prevention technique
US10747872B1 (en) 2017-09-27 2020-08-18 Fireeye, Inc. System and method for preventing malware evasion
US10805346B2 (en) 2017-10-01 2020-10-13 Fireeye, Inc. Phishing attack detection
US11108809B2 (en) 2017-10-27 2021-08-31 Fireeye, Inc. System and method for analyzing binary code for malware classification using artificial neural network techniques
US10691082B2 (en) * 2017-12-05 2020-06-23 Cisco Technology, Inc. Dynamically adjusting sample rates based on performance of a machine-learning based model for performing a network assurance function in a network assurance system
US11271955B2 (en) 2017-12-28 2022-03-08 Fireeye Security Holdings Us Llc Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US11005860B1 (en) 2017-12-28 2021-05-11 Fireeye, Inc. Method and system for efficient cybersecurity analysis of endpoint events
US11240275B1 (en) 2017-12-28 2022-02-01 Fireeye Security Holdings Us Llc Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
US10826931B1 (en) 2018-03-29 2020-11-03 Fireeye, Inc. System and method for predicting and mitigating cybersecurity system misconfigurations
US10956477B1 (en) 2018-03-30 2021-03-23 Fireeye, Inc. System and method for detecting malicious scripts through natural language processing modeling
US11003773B1 (en) 2018-03-30 2021-05-11 Fireeye, Inc. System and method for automatically generating malware detection rule recommendations
US11558401B1 (en) 2018-03-30 2023-01-17 Fireeye Security Holdings Us Llc Multi-vector malware detection data sharing system for improved detection
US11075930B1 (en) 2018-06-27 2021-07-27 Fireeye, Inc. System and method for detecting repetitive cybersecurity attacks constituting an email campaign
US11314859B1 (en) 2018-06-27 2022-04-26 FireEye Security Holdings, Inc. Cyber-security system and method for detecting escalation of privileges within an access token
US11228491B1 (en) 2018-06-28 2022-01-18 Fireeye Security Holdings Us Llc System and method for distributed cluster configuration monitoring and management
US11316900B1 (en) 2018-06-29 2022-04-26 FireEye Security Holdings Inc. System and method for automatically prioritizing rules for cyber-threat detection and mitigation
US11182473B1 (en) 2018-09-13 2021-11-23 Fireeye Security Holdings Us Llc System and method for mitigating cyberattacks against processor operability by a guest process
US11763004B1 (en) 2018-09-27 2023-09-19 Fireeye Security Holdings Us Llc System and method for bootkit detection
US12074887B1 (en) 2018-12-21 2024-08-27 Musarubra Us Llc System and method for selectively processing content after identification and removal of malicious content
US11368475B1 (en) 2018-12-21 2022-06-21 Fireeye Security Holdings Us Llc System and method for scanning remote services to locate stored objects with malware
US11258806B1 (en) 2019-06-24 2022-02-22 Mandiant, Inc. System and method for automatically associating cybersecurity intelligence to cyberthreat actors
US11556640B1 (en) 2019-06-27 2023-01-17 Mandiant, Inc. Systems and methods for automated cybersecurity analysis of extracted binary string sets
US11392700B1 (en) 2019-06-28 2022-07-19 Fireeye Security Holdings Us Llc System and method for supporting cross-platform data verification
US11886585B1 (en) 2019-09-27 2024-01-30 Musarubra Us Llc System and method for identifying and mitigating cyberattacks through malicious position-independent code execution
US11637862B1 (en) 2019-09-30 2023-04-25 Mandiant, Inc. System and method for surfacing cyber-security threats with a self-learning recommendation engine
CN114448901B (en) * 2020-10-19 2024-07-16 北京金山云网络技术有限公司 Flow peak clipping method and device, server, medium and electronic equipment

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4733390A (en) 1985-09-13 1988-03-22 Kabushiki Kaisha Toshiba Data transmission system
US5289517A (en) 1990-09-10 1994-02-22 Hitachi, Ltd. Digital pulse processing device
US5463620A (en) 1992-10-29 1995-10-31 At&T Ipm Corp. Bandwidth allocation, transmission scheduling, and congestion avoidance in broadband asynchronous transfer mode networks
US5864557A (en) 1996-09-25 1999-01-26 Thomson Multimedia S.A. Method and apparatus for opportunistically transferring data in a packet stream encoder
US5892766A (en) 1996-02-22 1999-04-06 Fujitsu, Ltd. Method and apparatus for coordinating access to an output of a routing device in a packet switching network
US5953338A (en) 1996-12-13 1999-09-14 Northern Telecom Limited Dynamic control processes and systems for asynchronous transfer mode networks
US6067301A (en) 1998-05-29 2000-05-23 Cabletron Systems, Inc. Method and apparatus for forwarding packets from a plurality of contending queues to an output
US6144662A (en) 1996-07-09 2000-11-07 International Business Machines Corporation Fast routing and non-blocking switch which accomodates multicasting and variable length packets
US6154829A (en) 1997-10-20 2000-11-28 Matsushita Electric Industrial Co., Ltd. Cascaded arithmetic pipeline data processor
US20010033581A1 (en) 2000-03-22 2001-10-25 Kenichi Kawarai Packet switch, scheduling device, drop control circuit, multicast control circuit and QoS control device
US20020087715A1 (en) * 2000-12-28 2002-07-04 Alcatel Marking determining device and related method
US6438134B1 (en) 1998-08-19 2002-08-20 Alcatel Canada Inc. Two-component bandwidth scheduler having application in multi-class digital communications systems
US6483839B1 (en) 1998-03-18 2002-11-19 Conexant Systems, Inc. Apparatus and method for scheduling multiple and simultaneous traffic in guaranteed frame rate in ATM communication system
US20020180540A1 (en) 2001-04-10 2002-12-05 Yoshitaka Hirai Lock detection circuit
US20030123449A1 (en) 2001-12-21 2003-07-03 Kuhl Timothy Harris Method and system for mediating traffic between an asynchronous transfer mode (ATM) network and an adjacent network
US20030152084A1 (en) 2001-09-19 2003-08-14 Barry Lee Differentiated services for a network processor
US6625266B1 (en) 1997-12-16 2003-09-23 Nokia Corporation Event pre-processing for composing a report
US6643293B1 (en) 1997-09-05 2003-11-04 Alcatel Canada Inc. Virtual connection shaping with hierarchial arbitration
US6678248B1 (en) 1997-08-29 2004-01-13 Extreme Networks Policy based quality of service
US20050152374A1 (en) 2004-01-14 2005-07-14 Cohen Earl T. Propagation of minimum guaranteed scheduling rates among scheduling layers in a hierarchical schedule
US20060029080A1 (en) 2004-08-05 2006-02-09 Cisco Technology, Inc., A California Corporation Using burst tolerance values in time-based schedules
US20060062144A1 (en) 2002-11-15 2006-03-23 Cisco Technology, Inc., A California Corporation Tokens in token buckets maintained among primary and secondary storages
US20060133279A1 (en) 2004-12-21 2006-06-22 Cisco Technology, Inc. Hierarchical multi-rate multi-precedence policer
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets
US20080025214A1 (en) 2006-07-27 2008-01-31 Cisco Technology, Inc., A California Corporation Multilevel coupled policer

Patent Citations (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4733390A (en) 1985-09-13 1988-03-22 Kabushiki Kaisha Toshiba Data transmission system
US5289517A (en) 1990-09-10 1994-02-22 Hitachi, Ltd. Digital pulse processing device
US5463620A (en) 1992-10-29 1995-10-31 At&T Ipm Corp. Bandwidth allocation, transmission scheduling, and congestion avoidance in broadband asynchronous transfer mode networks
US5892766A (en) 1996-02-22 1999-04-06 Fujitsu, Ltd. Method and apparatus for coordinating access to an output of a routing device in a packet switching network
US6144662A (en) 1996-07-09 2000-11-07 International Business Machines Corporation Fast routing and non-blocking switch which accomodates multicasting and variable length packets
US5864557A (en) 1996-09-25 1999-01-26 Thomson Multimedia S.A. Method and apparatus for opportunistically transferring data in a packet stream encoder
US5953338A (en) 1996-12-13 1999-09-14 Northern Telecom Limited Dynamic control processes and systems for asynchronous transfer mode networks
US6678248B1 (en) 1997-08-29 2004-01-13 Extreme Networks Policy based quality of service
US6643293B1 (en) 1997-09-05 2003-11-04 Alcatel Canada Inc. Virtual connection shaping with hierarchial arbitration
US6154829A (en) 1997-10-20 2000-11-28 Matsushita Electric Industrial Co., Ltd. Cascaded arithmetic pipeline data processor
US6625266B1 (en) 1997-12-16 2003-09-23 Nokia Corporation Event pre-processing for composing a report
US6483839B1 (en) 1998-03-18 2002-11-19 Conexant Systems, Inc. Apparatus and method for scheduling multiple and simultaneous traffic in guaranteed frame rate in ATM communication system
US6067301A (en) 1998-05-29 2000-05-23 Cabletron Systems, Inc. Method and apparatus for forwarding packets from a plurality of contending queues to an output
US6438134B1 (en) 1998-08-19 2002-08-20 Alcatel Canada Inc. Two-component bandwidth scheduler having application in multi-class digital communications systems
US20010033581A1 (en) 2000-03-22 2001-10-25 Kenichi Kawarai Packet switch, scheduling device, drop control circuit, multicast control circuit and QoS control device
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets
US20020087715A1 (en) * 2000-12-28 2002-07-04 Alcatel Marking determining device and related method
US20020180540A1 (en) 2001-04-10 2002-12-05 Yoshitaka Hirai Lock detection circuit
US20030152084A1 (en) 2001-09-19 2003-08-14 Barry Lee Differentiated services for a network processor
US20030123449A1 (en) 2001-12-21 2003-07-03 Kuhl Timothy Harris Method and system for mediating traffic between an asynchronous transfer mode (ATM) network and an adjacent network
US20060062144A1 (en) 2002-11-15 2006-03-23 Cisco Technology, Inc., A California Corporation Tokens in token buckets maintained among primary and secondary storages
US20050152374A1 (en) 2004-01-14 2005-07-14 Cohen Earl T. Propagation of minimum guaranteed scheduling rates among scheduling layers in a hierarchical schedule
US20060029080A1 (en) 2004-08-05 2006-02-09 Cisco Technology, Inc., A California Corporation Using burst tolerance values in time-based schedules
US20060029079A1 (en) 2004-08-05 2006-02-09 Cisco Technology, Inc. A California Corporation Pipeline scheduler including a hierarchy of schedulers and multiple scheduling lanes
US20060133279A1 (en) 2004-12-21 2006-06-22 Cisco Technology, Inc. Hierarchical multi-rate multi-precedence policer
US20080025214A1 (en) 2006-07-27 2008-01-31 Cisco Technology, Inc., A California Corporation Multilevel coupled policer

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Modular QoS CLI (MQC) Three-Level Hierarchical Policer", Cisco Systems, Inc., San Jose, CA, Oct. 1, 2004.
Cisco White Paper, "Transit Access Control Lists: Filtering at Your Edge", Aug. 15, 2003, Cisco, all pages. *
Heinanen et al., "A Single Rate Three Color Marker," RFC 2697, IETF, Sep. 1999.
Heinanen et al., "A Two Rate Three Color Marker," RFC 2698, IETF, Sep. 1999.

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9418005B2 (en) 2008-07-15 2016-08-16 International Business Machines Corporation Managing garbage collection in a data processing system
US9176783B2 (en) 2010-05-24 2015-11-03 International Business Machines Corporation Idle transitions sampling with execution context
US8843684B2 (en) 2010-06-11 2014-09-23 International Business Machines Corporation Performing call stack sampling by setting affinity of target thread to a current process to prevent target thread migration
US8799872B2 (en) 2010-06-27 2014-08-05 International Business Machines Corporation Sampling with sample pacing
US20120092990A1 (en) * 2010-10-14 2012-04-19 T-Mobile Usa, Inc. Quality of Service Adjustments to Improve Network Utilization
US8964544B2 (en) 2010-10-14 2015-02-24 T-Mobile Usa, Inc. Quality of service adjustments to improve network utilization
US9565318B2 (en) * 2010-10-14 2017-02-07 T-Mobile Usa, Inc. Quality of service adjustments to improve network utilization
US8799904B2 (en) 2011-01-21 2014-08-05 International Business Machines Corporation Scalable system call stack sampling

Also Published As

Publication number Publication date
US20070171824A1 (en) 2007-07-26

Similar Documents

Publication Publication Date Title
US8018845B2 (en) Sampling rate-limited traffic
CN109921996B (en) High-performance OpenFlow virtual flow table searching method
US6871265B1 (en) Method and apparatus for maintaining netflow statistics using an associative memory to identify and maintain netflows
US8170045B2 (en) Class-based bandwidth partitioning
US7499941B2 (en) Pipeline regular expression matching
EP2013759B1 (en) Detection of potential forwarding loops in bridged networks
US7941606B1 (en) Identifying a flow identification value mask based on a flow identification value of a packet
US7197597B1 (en) Performing lookup operations in a content addressable memory based on hashed values of particular use in maintaining statistics for packet flows
US8638793B1 (en) Enhanced parsing and classification in a packet processor
US7672293B2 (en) Hardware throttling of network traffic sent to a processor based on new address rates
US9407518B2 (en) Apparatus, system, and method for enhanced reporting and measurement of performance data
US9055114B1 (en) Packet parsing and control packet classification
US20150236895A1 (en) Apparatus, System, and Method for Enhanced Monitoring and Interception of Network Data
US8024787B2 (en) Packet firewalls of particular use in packet switching devices
US10069704B2 (en) Apparatus, system, and method for enhanced monitoring and searching of devices distributed over a network
US20070248110A1 (en) Dynamically switching streams of packets among dedicated and shared queues
US7403526B1 (en) Partitioning and filtering a search space of particular use for determining a longest prefix match thereon
CN110958245B (en) Attack detection method, device, equipment and storage medium
US8340090B1 (en) Interconnecting forwarding contexts using u-turn ports
US7787462B2 (en) Applying features to packets in the order specified by a selected feature order template
US20140298148A1 (en) Trend-analysis scheme for reliably reading data values from memory
US20140173102A1 (en) Apparatus, System, and Method for Enhanced Reporting and Processing of Network Data
Turkovic et al. Detecting heavy hitters in the data-plane
KR20060063564A (en) An apparatus for capturing internet protocol(ip) packet with sampling and signature searching function, and a method thereof
US7024515B1 (en) Methods and apparatus for performing continue actions using an associative memory which might be particularly useful for implementing access control list and quality of service features

Legal Events

Date Code Title Description
AS Assignment

Owner name: CISCO TECHNOLOGY, INC. A CORPORATION OF CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RUELLO, NATALE;NAQVI, FARRUKH REZA;ELANGOVAN, ANUSANKAR;AND OTHERS;REEL/FRAME:017517/0788;SIGNING DATES FROM 20060113 TO 20060124

Owner name: CISCO TECHNOLOGY, INC. A CORPORATION OF CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RUELLO, NATALE;NAQVI, FARRUKH REZA;ELANGOVAN, ANUSANKAR;AND OTHERS;SIGNING DATES FROM 20060113 TO 20060124;REEL/FRAME:017517/0788

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12